Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-26791

DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

Published

2025-02-14T09:15:08.067

Last Modified

2025-10-07T20:56:12.317

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cure53	dompurify	< 3.2.4	Yes

References

https://ensy.zip/posts/dompurify-323-bypass/ Exploit, Third Party Advisory ([email protected])
https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02 Patch ([email protected])
https://github.com/cure53/DOMPurify/releases/tag/3.2.4 Release Notes ([email protected])
https://nsysean.github.io/posts/dompurify-323-bypass/ Exploit, Third Party Advisory ([email protected])
https://ensy.zip/posts/dompurify-323-bypass/ Exploit, Third Party Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)